Personally identifiable information

Personal data, also known as personal information, personally identifying information (PII), or sensitive personal information (SPI),[2][3][4] is any information relating to identifying a person.

The abbreviation PII is widely accepted in the United States, but the phrase it abbreviates has four common variants based on personal / personally, and identifiable / identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used.[1] Under European and other data protection regimes, which centre primarily around the General Data Protection Regulation, the term "personal data" is significantly broader, and determines the scope of the regulatory regime.[5]

National Institute of Standards and Technology Special Publication 800-122[6] defines personally identifying information as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." So, for example, a user's IP address is not classed as PII on its own, but is classified as a linked PII.[7] However, in the European Union, the IP address of an Internet subscriber may be classed as personal data.[8]

The concept of PII has become prevalent as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. As a response to these threats, many website privacy policies specifically address the gathering of PII,[9] and lawmakers such as the European Parliament have enacted legislation such as the General Data Protection Regulation (GDPR) to limit the distribution and accessibility of PII.[10]

Personally identifying information is a legal concept, not a technical concept, and it is not utilised in all jurisdictions. Because of the versatility and power of modern re-identification algorithms,[11][12][13] the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may not be uniquely identifying on their own, any attribute can be potentially identifying in combination with others.[14][15] These attributes have been referred to as quasi-identifiers or pseudo-identifiers.[16][17] While such data may not constitute PII in the United States, it is highly likely to remain personal data under European data protection law.[5]

Conceptions

The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB),[18] and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122).[19] The OMB memorandum defines PII as follows:

A term similar to PII, "personal data" is defined in EU directive 95/46/EC, for the purposes of the directive:[20]

However, in the EU rules, there has been a clearer notion that the data subject can potentially be identified through additional processing of other attributes—quasi- or pseudo-identifiers. In the GDPR Personal Data is defined as:

Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[21]

Another term similar to PII, "personal information" is defined in a section of the California data breach notification law, SB1386:[22]

The concept of information combination given in the SB1386 definition is key to correctly distinguishing PII, as defined by OMB, from "personal information", as defined by SB1386. Information, such as a name, that lacks context cannot be said to be SB1386 "personal information", but it must be said to be PII as defined by OMB. For example, the name John Smith has no meaning in the current context and is therefore not SB1386 "personal information", but it is PII. A Social Security Number (SSN) without a name or some other associated identity or context information is not SB1386 "personal information", but it is PII. For example, the SSN 078-05-1120 by itself is PII, but it is not SB1386 "personal information". However, the combination of a valid name with the correct SSN is SB1386 "personal information".[22]

The combination of a name with a context may also be considered PII; for example, if a person's name is on a list of patients for an HIV clinic. However, it is not necessary for the name to be combined with a context in order for it to be PII. The reason for this distinction is that bits of information such as names, although they may not be sufficient by themselves to make an identification, may later be combined with other information to identify persons and expose them to harm.

According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.[18]

Australia

In Australia, the Privacy Act 1988 deals with the protection of individual privacy, using the OECD Privacy Principles from the 1980s to set up a broad, principles-based regulatory model (unlike in the US, where coverage is generally not based on broad principles but on specific technologies, business practices or data items). Section 6 has the relevant definition.[23] The critical detail is that the definition of 'personal information' also applies to where the individual can be indirectly identified:

"personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. [emphasis added]

This raises the question of reasonableness: assume it is theoretically possible to identify a person from information which does not include a name or address, but does contain clues which could be pursued to find out who it relates to. How much extra effort does it take to make it unreasonable that such information could be identified? For instance, if the information involves an IP address, and the relevant ISP stores logs which could easily be inspected (if you had sufficient legal justification) to re-link the IP address to the account holder, can their identity be "reasonably ascertained"? If such linking used to be expensive, slow and difficult, but becomes easier, does this change the answer at some point?

It appears that this definition is significantly broader than the Californian example given above, and thus that Australian privacy law, while in some respects weakly enforced, may cover a broader category of data and information than in some US law.

In particular, online behavioral advertising businesses based in the US but surreptitiously collecting information from people in other countries in the form of cookies, bugs, trackers and the like may find that their preference to avoid the implications of wanting to build a psychographic profile of a particular person, using the rubric of 'we don't collect personal information', does not make sense under a broader definition like that in the Australian Privacy Act.

Canada

  • Privacy Act governs the Federal Government agencies

  • Ontario Freedom of Information and Protection of Privacy Act and similar Provincial legislation governs Provincial Government agencies

  • Personal Information Protection and Electronic Documents Act governs private corporations, unless there is equivalent Provincial legislation

  • Ontario Personal Health Information Protection Act and other similar Provincial legislation governs health information

European Union

European data protection law does not utilize the concept of personally identifiable information, and its scope is instead determined by the non-synonymous, wider concept of "personal data".

  • Article 8 of the European Convention on Human Rights

  • The General Data Protection Regulation, adopted in April 2016 and effective 25 May 2018, supersedes the Data Protection Directive 95/46/EC

  • Directive 2002/58/EC (the E-Privacy Directive)

  • Directive 2006/24/EC Article 5 (The Data Retention Directive)

Further examples can be found on the EU privacy website.[24]

United Kingdom

  • The UK Data Protection Act 2018[25]

  • The UK Data Protection Act 1998 – superseded by the UK Data Protection Act 2018

  • General Data Protection Regulation (Europe, 2016)

  • Article 8 of the European Convention on Human Rights

  • The UK Regulation of Investigatory Powers Act 2000

  • Employers' Data Protection Code of Practice

  • Model Contracts for Data Exports

  • The Privacy and Electronic Communications (EC Directive) Regulations 2003

  • The UK Interception of Communications (Lawful Business Practice) Regulations 2000

  • The UK Anti-Terrorism, Crime and Security Act 2001

New Zealand

The twelve Information Privacy Principles of the Privacy Act 1993 apply.

Switzerland

The Federal Act on Data Protection of 19 June 1992 (in force since 1993) has set up a strict protection of privacy by prohibiting virtually any processing of personal data which is not expressly authorized by the data subjects.[26] The protection is subject to the authority of the Federal Data Protection and Information Commissioner.[26]

Additionally, any person may ask a company (managing data files) in writing for the correction or deletion of any personal data.[27] The company must respond within thirty days.[27]

United States

The Privacy Act of 1974 (Pub.L. 93–579, 88 Stat. 1896, enacted 31 December 1974, 5 U.S.C. § 552a), a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

One of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA) is to protect a patient's Protected Health Information (PHI), which is similar to PII. The U.S. Senate proposed the Privacy Act of 2005, which attempted to strictly limit the display, purchase, or sale of PII without the person's consent. Similarly, the (proposed) Anti-Phishing Act of 2005 attempted to prevent the acquiring of PII through phishing.

U.S. lawmakers have paid special attention to the social security number because it can be easily used to commit identity theft. The (proposed) Social Security Number Protection Act of 2005 and (proposed) Identity Theft Prevention Act of 2005 each sought to limit the distribution of an individual's social security number.

NIST definition

The National Institute of Standards and Technology is a physical sciences laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.

The following data, often used for the express purpose of distinguishing individual identity, clearly classify as personally identifiable information under the definition used by the National Institute of Standards and Technology (described in detail below):[19]

  • National identification number (e.g., Social Security number in the U.S.)

  • Bank account numbers

  • Passport number

  • Driver's license number

  • Credit card numbers

The following are less often used to distinguish individual identity, because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.

  • Full Name

  • Home Address

  • City

  • State

  • Postcode

  • Country

  • Telephone

  • Age, Date of Birth, especially if non-specific

  • Gender or race

  • Web cookie[28]

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old white male who works at Target". Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none sufficient by itself to uniquely identify an individual, may uniquely identify a person when combined; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that, in 1990, 87% of the population of the United States could be uniquely identified by gender, ZIP code, and full date of birth.[29]
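The combination effect described here, and the quasi-identifiers mentioned earlier, can be measured on a dataset before it is released. The following is an added example, not part of the original article: it counts how many records share each combination of gender, ZIP code and date of birth, using a small constructed dataset; all field names and function names are illustrative assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records: direct identifiers (name, SSN) already removed.
RECORDS = [
    {"gender": "F", "zip": "02138", "dob": "1985-03-14"},
    {"gender": "F", "zip": "02138", "dob": "1985-03-14"},
    {"gender": "M", "zip": "02138", "dob": "1985-03-14"},
    {"gender": "F", "zip": "02139", "dob": "1985-03-14"},
    {"gender": "M", "zip": "02139", "dob": "1990-07-02"},
    {"gender": "M", "zip": "02139", "dob": "1990-07-02"},
    {"gender": "F", "zip": "02138", "dob": "1990-07-02"},
    {"gender": "M", "zip": "02138", "dob": "1990-07-02"},
]
QUASI_IDENTIFIERS = ("gender", "zip", "dob")


def class_sizes(records, attrs):
    """Count the records that share each combination of values for attrs."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """Size of the smallest group; k == 1 means someone is unique."""
    return min(class_sizes(records, attrs).values())


def unique_fraction(records, attrs):
    """Share of records that no other record matches on attrs."""
    sizes = class_sizes(records, attrs)
    return sum(1 for n in sizes.values() if n == 1) / len(records)


def records_below_k(records, attrs, k):
    """Indices of records whose group is smaller than k (release blockers)."""
    sizes = class_sizes(records, attrs)
    return [i for i, r in enumerate(records)
            if sizes[tuple(r[a] for a in attrs)] < k]


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix, birth year only."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


def sweep(records, attrs=QUASI_IDENTIFIERS):
    """(k, unique fraction) for every non-empty subset of attrs."""
    return {
        combo: (k_anonymity(records, combo), unique_fraction(records, combo))
        for n in range(1, len(attrs) + 1)
        for combo in combinations(attrs, n)
    }


if __name__ == "__main__":
    for combo, (k, frac) in sweep(RECORDS).items():
        print(f"{'+'.join(combo):<16} k={k}  unique={frac:.0%}")
    coarse = [generalize(r) for r in RECORDS]
    print("below k=2 as collected:", records_below_k(RECORDS, QUASI_IDENTIFIERS, 2))
    print("below k=2 generalized: ", records_below_k(coarse, QUASI_IDENTIFIERS, 2))
```

In this sample no single attribute singles anyone out, yet half the records are unique on all three together, and coarsening ZIP and date of birth still leaves two records that would need suppression or further generalization.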

In hacker and Internet slang, the practice of finding and releasing such information is called "doxing".[30][31] It is sometimes used to deter collaboration with law enforcement.[32] On occasion, the doxing can trigger an arrest, particularly if law enforcement agencies suspect that the "doxed" individual may panic and disappear.[33]

State laws and significant court rulings

  • California: The California state constitution declares privacy an inalienable right in Article 1, Section 1. California Online Privacy Protection Act (OPPA) of 2003. SB 1386 requires organizations to notify individuals when PII (in combination with one or more additional, specific data elements) is known or believed to be acquired by an unauthorized person. In 2011, the California State Supreme Court ruled that a person's ZIP code is PII.[34]

  • Nevada: Nevada Revised Statutes 603A, Security of Personal Information

  • Massachusetts: 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth.[35] In 2013, the Massachusetts Supreme Court ruled that ZIP codes are PII.[36]

Federal law

  • Title 18 of the United States Code, section 1028d(7) [60]

  • The Privacy Act of 1974, codified at 5 U.S.C. § 552a et seq. [61]

  • US "Privacy Shield" Rules [62] (EU Harmonisation)

Forensics

In forensics, particularly the identification and prosecution of criminals, personally identifiable information is critical in establishing evidence in criminal procedure. Criminals may go to great trouble to avoid leaving any PII, such as by:

  • wearing masks, sunglasses, or clothing to obscure or completely hide distinguishing features, such as eye, skin, and hair colour, facial features, and personal marks such as tattoos, birthmarks, moles and scars.

  • wearing gloves to conceal fingerprints, which themselves are PII. However, gloves can also leave prints that are just as unique as human fingerprints. After collecting glove prints, law enforcement can then match them to gloves that they have collected as evidence.[37] In many jurisdictions the act of wearing gloves itself while committing a crime can be prosecuted as an inchoate offense.[38]

  • avoiding writing anything in their own handwriting.

  • masking their internet presence with methods such as using a proxy server to appear to be connecting from an IP address unassociated with oneself.

Personal safety

Personal data is a key component of online identity and can be exploited by individuals. For instance, data can be altered and used to create fake documents, hijack mailboxes and phone calls, or harass people, as in the data breach at EE Limited.[39]

Another key case is financial identity theft,[40] which usually involves bank account and credit card information being stolen and then used or sold.[41]

Personal data can also be used to create fake online identities, including fake accounts and profiles (referred to as identity cloning[42] or identity fraud) for celebrities, to gather data from other users more easily.[43] Even individuals can be concerned, especially for personal purposes (this is more widely known as a sockpuppet).

The most critical information, such as passwords, dates of birth, ID documents or Social Insurance Numbers, can be used to log in to different websites (see Password reuse and Account verification) to gather more information and access more content.

Also, several agencies ask for discretion on subjects related to their work, for the safety of their employees. For this reason, the United States Department of Defense (DoD) has strict policies controlling release of personally identifiable information of DoD personnel.[44] Many intelligence agencies have similar policies, sometimes to the point where employees do not disclose to their friends that they work for the agency.

Similar identity protection concerns exist for witness protection programs, women's shelters, and victims of domestic violence and other threats.

Trade of personal data

During the second half of the 20th century, the digital revolution introduced "privacy economics", or the trade of personal data. The value of data can change over time and in different contexts. Disclosing data can reverse information asymmetry, though the costs of doing so can be unclear. In relation to companies, consumers often have "imperfect information regarding when their data is collected, with what purposes, and with what consequences."[45]

Writing in 2015, Alessandro Acquisti, Curtis Taylor and Liad Wagman identified three "waves" in the trade of personal data:

  1. In the 1970s, the Chicago Boys school claimed that protection of privacy could have a negative impact on the market because it could lead to incorrect and non-optimal decisions. Other researchers like Andrew F. Daughety and Jennifer F. Reinganum suggested that the opposite was true, and that absence of privacy would also lead to this.[46]

  2. In the mid 1990s, Varian retook the Chicago Boys approach and added a new externality, stating that the consumer would not always have perfect information on how their own data would be used.[47] Kenneth C. Laudon developed a model in which individuals own their data and have the ability to sell it as a product. He believed that such a system should not be regulated, to create a free market.[48]

  3. In the 2000s, researchers worked on price discrimination (Taylor, 2004[49]), two-sided markets (Cornière, 2011[50]) and marketing strategies (Anderson and de Palma, 2012[51]). The theories became complex, and showed that the impact of privacy on the economy highly depended on the context.

See also

  • Anonymity

  • Bundesdatenschutzgesetz

  • De-identification

  • Personal identifier

  • Personal identity

  • Personal Information Agent

  • Protected health information

  • Pseudonymity

  • Privacy

  • Privacy law

  • Privacy laws of the United States

  • Obfuscation

  • Surveillance

  • General Data Protection Regulation

References

[1] In other countries with privacy protection laws derived from the OECD privacy principles, the term used is more often "personal information", which may be somewhat broader: in Australia's Privacy Act 1988 (Cth) "personal information" also includes information from which the person's identity is "reasonably ascertainable", potentially covering some information not covered by PII.
[2] "Management of Data Breaches Involving Sensitive Personal Information (SPI)". Va.gov. Washington, DC: Department of Veterans Affairs. 6 January 2012. Archived from the original on 26 May 2015. Retrieved 25 May 2015.
[3] Stevens, Gina (10 April 2012). "Data Security Breach Notification Laws" (PDF). fas.org. Retrieved 8 June 2017.
[4] Greene, Sari Stern (2014). Security Program and Policies: Principles and Practices. Indianapolis, IN, US: Pearson IT Certification. p. 349. ISBN 978-0-7897-5167-6. OCLC 897789345.
[5] Schwartz, Paul M; Solove, Daniel (2014). "Reconciling Personal Information in the United States and European Union". California Law Review. 102 (4). doi:10.15779/Z38Z814.
[6] "NIST Special Publication 800-122" (PDF). nist.gov. This article incorporates public domain material from the National Institute of Standards and Technology website https://www.nist.gov.
[7] Section 3.3.3 "Identifiability"
[8] "European Court of Justice rules IP addresses are personal data". The Irish Times. 19 October 2016. Retrieved 10 March 2019.
[9] Nokhbeh, Razieh (2017). "A study of web privacy policies across industries". Journal of Information Privacy & Security. 13: 169–185.
[10] "Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)". European Data Consilium. 11 June 2015. Retrieved 3 April 2019.
[11] de Montjoye, Yves-Alexandre; César A. Hidalgo; Michel Verleysen; Vincent D. Blondel (25 March 2013). "Unique in the Crowd: The privacy bounds of human mobility". Scientific Reports. 3: 1376. Bibcode:2013NatSR...3E1376D. doi:10.1038/srep01376. PMC 3607247. PMID 23524645.
[12] Narayanan, A.; Shmatikov, V. (2008). "Robust De-anonymization of Large Sparse Datasets". 2008 IEEE Symposium on Security and Privacy (sp 2008). p. 111. doi:10.1109/SP.2008.33. ISBN 978-0-7695-3168-7.
[13] Narayanan, A.; Shmatikov, V. (2009). "De-anonymizing Social Networks". 2009 30th IEEE Symposium on Security and Privacy. p. 173. arXiv:0903.3276. doi:10.1109/SP.2009.22. ISBN 978-0-7695-3633-0.
[14] Narayanan, A.; Shmatikov, V. (2010). "Myths and fallacies of "personally identifiable information"". Communications of the ACM. 53 (6): 24. doi:10.1145/1743546.1743558.
[15] "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization". 13 August 2009. SSRN 1450006.
[16] Dalenius, Tore (1986). "Finding a needle in a haystack – or identifying anonymous census record". Journal of Official Statistics.
[17] Opinion 05/2014 on Anonymisation Techniques. Article 29 Data Protection Working Party.
[18] M-07-16 SUBJECT: Safeguarding Against and Responding to the Breach of Personally Identifiable Information FROM: Clay Johnson III, Deputy Director for Management (2007/05/22)
[19] "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" (PDF). Special Publication 800-122. NIST.
[20] "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data". Eur-lex.europa.eu. Retrieved 20 August 2013.